RFC: Release cosigned artifacts with cosign releases?

[n3wscott]

Description

I would like to do the work on releasing the cosigned webhook config (with signed image) independent of the helm chart.

I would like to know if anyone has a good reason for all the configuration options inside the helm chart? We can also ship the helm chart alongside the resolved release manifests without issues, it just means we will have two paths to install the webhook.

[hectorj2f]

@n3wscott The initial reason was to keep some consistency with the rest of helm charts. However we can have other arguments. I would ask @sabre1041.

[n3wscott]

@hectorj2f I am more asking for a non-helm option.

[jkjell]

@n3wscott any opinions or thoughts on the non-Helm solution? Just plain k8s manifests or something else?

[n3wscott]

@jkjell it should be not much harder than ko resolve and store that manifest as an artifact, attach it to the release. Then sign the image with cosign via ko publish.

Ko should produce the same images via the two commands. If signing lands anything in ko it will be one step.

We might want to think to do a friendly fork of ko in sigstore for kosign : ko+cosign.

[dlorenc]

I think @k4leung4 just did this one in #1414